Privacy law and practice

This 28-month inquiry looked at the extent to which the Privacy Act 1988 (Cth) and related laws continue to provide an effective framework for the protection of privacy in Australia. It resulted in the Final Report, For Your Information: Australian Privacy Law and Practice (ALRC Report 108).

During the ALRC’s extensive consultations around the country, the overwhelming message was that Australians do care about privacy, and they want a simple, workable system that provides effective solutions and protections. At the same time, people appreciate that other interests often come into the balance—such as freedom of speech, child protection, law enforcement and national security. Australians also want the considerable benefits of the information age, such as shopping and banking online, and communicating instantaneously with friends and family around the world. And, of course, businesses want to be able to market effectively to current and potential customers, and to process data efficiently—including offshore.

The central theme in For Your Information (ALRC Report 108) is that, as a recognised human right, privacy protection generally should take precedence over a range of other countervailing interests, such as cost and convenience. It is often the case, however, that privacy rights will clash with a range of other individual rights and collective interests, such as freedom of expression and national security. International instruments on human rights, and the growing international and domestic jurisprudence in this field, all recognise that privacy protection is not an absolute. Where circumstances require, the vindication of individual rights must be balanced carefully against other competing rights—the ALRC’s final recommendations in ALRC 108 endeavour to do so.

The ALRC found that the Privacy Act has worked well to date, but that it now needs a number of refinements to bring it up to date with the information age. These days, information privacy touches almost every aspect of people’s lives, including medical records and health status, finances and creditworthiness, the personal details collected and stored on a multiplicity of public and corporate databases, and even the ability to control the display and distribution of our own images.

This Inquiry resulted in a three volume final report, containing 74 chapters and 295 recommendations for reform.

Key recommendations

Simplification and streamlining: the Privacy Act and related laws and regulations are highly detailed and complex, making it difficult for businesses to understand their obligations and for individuals to know their rights. A basic restructuring of the Act is required, focused on high-level principles of general application, to be supplemented by dedicated regulations governing specific fields, such as health privacy and credit reporting.

Uniform privacy principles and national consistency: the Act should prescribe a single set of Privacy Principles—developed and spelled out by the ALRC in this report—to apply to all federal government agencies and the private sector. It is recommended that these principles also be applied to state and territory government agencies through an intergovernmental cooperative scheme—so that the same principles and protections apply across Australia no matter what kind of agency or organisation is handling the information.

Regulating cross-border data flows: the basic principle should be that an agency or organisation that transfers personal information outside the country remains accountable for it, except in certain specified circumstances.

Rationalisation of exemptions and exceptions: the Privacy Act should be amended to rationalise the complex web of exemptions and exceptions. Exemptions only should be permitted where there is a compelling reason—and the ALRC recommends removal of the current exemptions for political parties, employee records and small businesses.

Improved complaint handling and stronger penalties:the Privacy Commissioner’s complaint handling procedures should be streamlined and strengthened, and the federal courts should be empowered to impose significant civil penalties for serious or repeated breaches of the Privacy Act.

More comprehensive credit reporting: in addition to the limited types of ‘negative’ information currently permitted, it is recommended that there should be some expansion of the categories of information held by credit reporting agencies (‘more comprehensive credit reporting’), to include: the type of each current credit account opened; the date on which each current credit account was opened; the credit limit of each current account; and the date on which each credit account was closed. The ALRC also recommends that the Australian Government only amend the Privacy Act to allow credit reporting to include information about an individual’s repayment history after it is satisfied that there is an adequate framework imposing responsible lending obligations in Commonwealth, state and territory legislation.

Health privacy:apart from the general approach to simplification and harmonisation of privacy laws, the ALRC recommends the drafting of new Privacy (Health Information) Regulations to regulate this important area. Recommendations also are made to deal with electronic health records, and the greater facilitation of health and medical research.

Children and young people: consultations with children and young people indicated that they wish to retain control over the personal information that they post on social networking websites, but were unaware of the extent to which such information remains available even after it has been ‘deleted’. The ALRC recommends that regulators and industry associations intensify efforts to educate young people about these issues.

Data breach notification: government agencies and business organisations should be required to notify individuals—and the Privacy Commissioner—where there is a real risk of serious harm occurring as a result of a data breach.

Cause of action for a serious invasion of privacy: federal law should provide for a private cause of action where an individual has suffered a serious invasion of privacy, in circumstances in which the person had a reasonable expectation of privacy. Courts should be empowered to tailor appropriate remedies, such as an order for damages, an injunction or an apology. The ALRC’s recommended formulation sets a high bar for plaintiffs, having due regard to the importance of freedom of expression and other rights and interests.